Author
Eik List
Other affiliations: Weimar Institute
Bio: Eik List is an academic researcher from Bauhaus University, Weimar. The author has contributed to research in topics: Block cipher & Encryption. The author has an hindex of 13, co-authored 47 publications receiving 549 citations. Previous affiliations of Eik List include Weimar Institute.
Papers
More filters
••
03 Mar 2014TL;DR: This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013 and demonstrates the drawback of the intensive optimizations in Simon andspeck.
Abstract: This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013. We describe attacks on up to slightly more than half the number of rounds. While our analysis is only of academic interest, it demonstrates the drawback of the intensive optimizations in Simon and Speck.
132 citations
••
19 Aug 2018
TL;DR: This paper proposes with Rastaa a design strategy for symmetric encryption that has ANDdepth d and at the same time only needs d ANDs per encrypted bit, and is to the best of the knowledge the first attempt that minimizes both metrics simultaneously.
Abstract: Recent developments in multi party computation (MPC) and fully homomorphic encryption (FHE) promoted the design and analysis of symmetric cryptographic schemes that minimize multiplications in one way or another. In this paper, we propose with Rastaa design strategy for symmetric encryption that has ANDdepth d and at the same time only needs d ANDs per encrypted bit. Even for very low values of d between 2 and 6 we can give strong evidence that attacks may not exist. This contributes to a better understanding of the limits of what concrete symmetric-key constructions can theoretically achieve with respect to AND-related metrics, and is to the best of our knowledge the first attempt that minimizes both metrics simultaneously. Furthermore, we can give evidence that for choices of d between 4 and 6 the resulting implementation properties may well be competitive by testing our construction in the use-case of removing the large ciphertext-expansion when using the BGV scheme.
65 citations
••
03 Mar 2014TL;DR: In this paper, the authors proposed CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provides some defense against malicious message modifications, while the latter is inherently sequential.
Abstract: Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against malicious message modifications. Unfortunately, all published on-line ciphers so far are either inherently sequential, or lack a CCA-security proof.
43 citations
••
14 Feb 2017TL;DR: An authenticated encryption scheme, called SIVx, that preserves BBB security also in the case of unlimited nonce reuses, based on a tweakable block cipher based on PMAC2x, which is motivated by PMAC_TBC1k by Naito.
Abstract: This paper proposes an authenticated encryption scheme, called SIVx, that preserves BBB security also in the case of unlimited nonce reuses. For this purpose, we propose a single-key BBB-secure message authentication code with 2n-bit outputs, called PMAC2x, based on a tweakable block cipher. PMAC2x is motivated by PMAC_TBC1k by Naito; we revisit its security proof and point out an invalid assumption. As a remedy, we provide an alternative proof for our construction, and derive a corrected bound for PMAC_TBC1k.
28 citations
•
TL;DR: In this paper, the first full-round attacks on the PRESENT and LED lightweight ciphers were proposed, using the independent-biclique approach which has been developed recently.
Abstract: In this paper, we propose the first full-round attacks on the PRESENT and LED lightweight ciphers. In our attacks, we use the independent-biclique approach which has been developed recently. The proposed attacks on PRESENT-80 and PRESENT-128 require 2 and 2 chosen plaintexts, and have time complexities of 2 and 2 respectively. Our attacks on LED-64 and LED-128 need 2 and 2 chosen plaintexts and the time complexities are equivalent to 2 and 2 encryptions.
26 citations
Cited by
More filters
••
07 Jun 2015TL;DR: Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design and these goals were balanced in the design of Simon and Speck.
Abstract: The Simon and Speck families of block ciphers were designed specifically to offer security on constrained devices, where simplicity of design is crucial. However, the intended use cases are diverse and demand flexibility in implementation. Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design. This paper outlines how these goals were balanced in the design of Simon and Speck.
504 citations
•
TL;DR: It is suggested that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), and it is shown that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
Abstract: We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
291 citations
••
07 Dec 2014TL;DR: An automatic method for evaluating the security of bit-oriented block ciphers against the (related-key) differential attack with several techniques for obtaining tighter security bounds, and a new tool for finding ( related-keys) differential characteristics automatically for bit- oriented block c iphers are proposed.
Abstract: We propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry respectively. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Using these inequalities combined with Mixed-integer Linear Programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against the (related-key) differential attack with several techniques for obtaining tighter security bounds, and a new tool for finding (related-key) differential characteristics automatically for bit-oriented block ciphers.
278 citations
••
14 Aug 2016TL;DR: This paper considers attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states, and shows that the most widely used modes of operation for authentication and authenticated encryption are completely broken in this security model.
Abstract: Due to Shor's algorithm, quantum computers are a severe threat for public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood. In this paper, we consider attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. This model gives a lot of power to the adversary, but recent results show that it is nonetheless possible to build secure cryptosystems in it.
We study applications of a quantum procedure called Simon's algorithm the simplest quantum period finding algorithm in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon's algorithm: finding a collision requires $$\varOmega 2^{n/2}$$ queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only On queries in the quantum model.
We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the situation with encryption modes: Anand et al. show that standard modes are secure with a quantum-secure PRF.
Second, we show that Simon's algorithm can also be applied to slide attacks, leading to an exponential speed-up of a classical symmetric cryptanalysis technique in the quantum model.
260 citations
•
TL;DR: The U.S. National Security Agency developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable.
Abstract: The U.S. National Security Agency (NSA) developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable. This paper summarizes the algorithms, their design rationale, along with current cryptanalysis and implementation results.
259 citations